Authorization for SAP Invoice and Goods Receipt Reconciliation

Users of the SAP Invoice and Goods Receipt Reconciliation application access the data replicated from the SAP ECC system as SAP HANA studio users. There is no direct relationship between a user in the ECC server and the corresponding user in the SAP HANA studio who accesses the analytic application. Therefore, you must configure various authorization-relevant settings in the SAP HANA studio to restrict access to the replicated data.

Authorization Settings

Prerequisites

You must ensure that users have the right level of authorization to access data replicated from SAP ECC, and that it is available in the analytic application. To do so, ensure that the following authorization-relevant settings have been made:

  • To enable access for users to the SAP Invoice and Goods Receipt Reconciliation application, an administrator has created users in the SAP HANA studio.

  • You have installed and activated the virtual data model views for ECC and SAP Invoice and Goods Receipt Reconciliation in the SAP HANA studio.

  • You have configured data replication between the ECC server and the SAP HANA server. For more information, see the Installation Information chapter in this guide, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba under Application Help > SAP HANA Live for SAP ERP > SAP Invoice and Goods Receipt Reconciliation.

Settings for Business Users

Grant authorization to users that only need to access the analytic application as follows:

  1. Create and assign analytic privileges to users for granting access to the following query views from the package sap.hba.apps.grircm.views:

    • GRIRAccountingDocumentQuery

    • GRIRClearingMonitorDigestQuery

    • GRIRClearingMonitorQuery

    • GRIRClearingMonitorStatusClearedQuery

    • GRIRClearingMonitorStatusOpenQuery

    • GRIRClearingMonitorStatusQuery

    • GRIRFiscalYearPeriodQuery

    • GRIRGoodsReceiptQuery

    • GRIRInvoiceReceiptQuery

    • GRIRNumberOfOpenItemsQuery

    • GRIRNumberOfPurchaseOrderItemsQuery

    • GRIROpenItemAgingQuery

    • GRIROpenItemQuery

    • GRIROwnUserContactDataQuery

    • GRIRPurchaseOrderClearingAgingQuery

    • GRIRPurchaseOrderHistoryQuery

    • GRIRPurchaseOrderItemDigestQuery

    • GRIRPurchaseOrderQuery

    • GRIRPurOrdHistoryWithDeliveryCostsQuery

    • GRIRStatusNumberOfPurOrdItemsQuery

    • GRIRUserContactDataQuery

    • GRIRUserDefaultContactDataQuery

    • GRIRVendorContactDataQuery

    • GRIRVendorDefaultContactDataQuery

    • SAPClientQuery

    • CompanyCodeQuery

    Because these views can also be called directly, it is best to restrict the authorization at least by SAPClient and CompanyCode. The view CompanyCodeQuery provides the data for the value help (F4 help) of company codes that is shown in the Personalization screen of the SAP Invoice and Goods Reconciliation monitor. The view SAPClientQuery provides the data for the value help (F4 help) of the client that is shown in the same Personalization screen.

    Recommendation

    SAP recommends that you create analytic privileges for the above query views with restrictions on the view attributes according to your business requirements.

  2. Create and assign analytic privileges to users for granting full access to the non-query views consumed by the query views listed above. These views are part of the SAP Invoice and Goods Receipt Reconciliation virtual data model. Include the views listed below from the package sap.hba.apps.grircm.views:

    • GRIRAccountingDocument

    • GRIRClearingMonitor

    • GRIRClearingMonitorDigest

    • GRIRPurchaseOrderItemDigest

    • GRIRClearingMonitorStatus

    • GRIRClearingMonitorStatusCleared

    • GRIRClearingMonitorStatusOpen

    • GRIRFiscalYearPeriod

    • GRIRGoodsReceipt

    • GRIRInvoiceReceipt

    • GRIRNumberOfOpenItems

    • GRIRNumberOfPurchaseOrderItems

    • GRIROpenItemAging

    • GRIROpenItem

    • GRIRPurchaseOrder

    • GRIRPurchaseOrderClearingAging

    • GRIRPurchaseOrderHistory

    • GRIRPurchaseOrderHistoryWithDeliveryCosts

    • GRIRStatusNumberOfPurchaseOrderItems

    • GRIRUserContactData

    • GRIRUserDefaultContactData

    • GRIRVendorContactData

    • GRIRVendorDefaultContactData

  3. Create and assign analytic privileges to users for granting full access to the non-query views consumed by the SAP Invoice and Goods Receipt Reconciliation Monitor application from SAP HANA Live for ECC. These views are part of the SAP HANA Live for ECC virtual data model. Include the views listed below from the package sap.hba.ecc:

    • AccountingDocumentType

    • AccountingPeriod

    • BKPF

    • BSEG

    • CalendarYearBasedVariant

    • CommunicationMediumTypeName

    • CompanyCode

    • Country

    • CreditControlArea

    • Currency

    • DunningArea

    • DunningBlockingReason

    • FinancialAccountType

    • FiscalFirstPeriod

    • FiscalYearBasedVariant

    • FiscalYearLastPeriod

    • FiscalYearPeriod

    • FiscalYearPeriodBeginDate

    • GLAccount

    • GLAccountInChartOfAccounts

    • GLAccountInCompanyCode

    • MaximumDunningLevel

    • PaymentBlockingReason

    • PaymentDifferenceReason

    • PaymentMethodForCountry

    • Plant

    • PlantName

    • PostedAccountingDocumentEntryView

    • ProfitCenter

    • PurchaseOrderHistory

    • PurchaseOrderHistoryCategory

    • PurchaseOrderHistoryDeliveryCost

    • PurchasingDocumentHeader

    • PurchasingDocumentItem

    • PurchasingGroup

    • SpecialGLCode

    • SpecialLastPeriod

    • SpecialPeriodWithDate

    • StorageLocation

    • UnitOfMeasureName

    • UserContactData

    • UserDefaultContactData

    • UserEmailAddressData

    • UserFaxData

    • UserMobilePhoneData

    • UserOfficeData

    • UserPhoneData

    • ValuationArea

    • Vendor

    • VendorCellPhoneData

    • VendorContactData

    • VendorDefaultContactData

    • VendorEmailAddressData

    • VendorFaxData

    • VendorPhoneData

    • Year

    Recommendation

    SAP recommends that you create one analytic privilege containing all non-query view references. The restriction for this analytic privilege must be empty, which means that this analytic privilege grants full access to the non-query views mentioned above.

  4. When business users work with the application SAP Invoice and Goods Receipt Reconciliation, you must assign them SQL SELECT, UPDATE, and INSERT privileges for the following:

    • Schema: SAP_HBA

    • Catalog object: sap.hba.apps.grircm.db/GRIRCMSTATUS

    • SAP HANA database table: sap_hba_apps_grircm_db_GRIRCMSTATUS (this is delivered with the application)

    The application checks the user’s SQL SELECT, UPDATE, and INSERT privileges, as well as the user’s read privilege while data is being updated. In this case, access is granted on row level.

  5. Grant SELECT privilege on the following query views:

    • GRIRAccountingDocumentQuery

    • GRIRClearingMonitorDigestQuery

    • GRIRClearingMonitorQuery

    • GRIRClearingMonitorStatusClearedQuery

    • GRIRClearingMonitorStatusOpenQuery

    • GRIRClearingMonitorStatusQuery

    • GRIRFiscalYearPeriodQuery

    • GRIRGoodsReceiptQuery

    • GRIRInvoiceReceiptQuery

    • GRIRNumberOfOpenItemsQuery

    • GRIROpenItemQuery

    • GRIROwnUserContactDataQuery

    • GRIRPurchaseOrderClearingAgingQuery

    • GRIRPurchaseOrderHistoryQuery

    • GRIRPurchaseOrderItemDigestQuery

    • GRIRPurchaseOrderQuery

    • GRIRPurOrdHistoryWithDeliveryCostsQuery

    • GRIRStatusNumberOfPurOrdItemsQuery

    • GRIRUserContactDataQuery

    • GRIRUserDefaultContactDataQuery

    • GRIRVendorContactDataQuery

    • GRIRVendorDefaultContactDataQuery

    Recommendation

    SAP recommends that you do not grant SYSTEM user permissions to users accessing the SAP Invoice and Goods Receipt Reconciliation application, as this will give them full access to the data.

Defining Restrictions on Views in the SAP HANA Studio

You can restrict access to data for users of the SAP Invoice and Goods Receipt Reconciliation application as follows:

  • By defining row-based access restrictions by analytic privileges on query views according to your requirements for data access control. For example, in the query view GRIRClearingMonitorQuery, you can assign the restriction on the attribute SAPClient in the analytic privilege. This ensures client isolation, which means that this analytic privilege grants access to view the data for that particular client only. If you do not assign any restriction on the attribute SAPClient in the analytic privilege, this analytic privilege grants access to view data for all clients.

  • In the analytic privilege, you can restrict the range of attribute values and their combinations that a particular user can see in the application.

Access to the SAP HANA view GRIROwnUserContactData, which is used in the application to retrieve the SAP ERP user maintained in the application for a given SAP HANA user, can be restricted as follows:

  • By assigning the appropriate row-based analytic privilege for the attribute “User”, you can ensure that a user has access to the correct SAP ERP user only. The contact data of the SAP ERP user is used in the application for outgoing calls if telephony integration is configured and enabled.

    Recommendation

    SAP recommends that you define the authorizations as SAP HANA roles, which can then be more easily assigned to existing and new users. Such a role can, for example, contain the necessary SQL privileges for accessing the query views and non-query views, and for assigning analytic privileges to the query views and non-query views.
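The role-based setup recommended above, covering steps 1 to 5 of Settings for Business Users, can be sketched in SQL as follows. This is an added example, not SAP-delivered content: the role GRIR_BUSINESS_USER, the user JDOE and the two analytic privilege names are hypothetical. It assumes that the activated views are exposed in schema _SYS_BIC as "<package>/<view>", that the analytic privileges were already modeled and activated in the SAP HANA studio, and that the executing administrator is allowed to grant these objects.

```sql
-- Added example with hypothetical names: role GRIR_BUSINESS_USER, user JDOE,
-- analytic privileges my.security/AP_GRIR_QUERY_BY_CLIENT (restricted on
-- SAPClient and CompanyCode) and my.security/AP_GRIR_NONQUERY_FULL (empty restriction).
CREATE ROLE GRIR_BUSINESS_USER;

-- Step 5: SELECT on the query views (two shown; repeat for each view listed in step 5).
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grircm.views/GRIRClearingMonitorQuery"
  TO GRIR_BUSINESS_USER;
GRANT SELECT ON "_SYS_BIC"."sap.hba.apps.grircm.views/GRIROpenItemQuery"
  TO GRIR_BUSINESS_USER;

-- Step 4: SELECT, UPDATE and INSERT on the status table only.
-- No DELETE and no schema-wide grant on SAP_HBA.
GRANT SELECT, UPDATE, INSERT
  ON "SAP_HBA"."sap_hba_apps_grircm_db_GRIRCMSTATUS"
  TO GRIR_BUSINESS_USER;

-- Steps 1 to 3: attach the activated analytic privileges to the role.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"(
  '"my.security/AP_GRIR_QUERY_BY_CLIENT"', 'GRIR_BUSINESS_USER');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"(
  '"my.security/AP_GRIR_NONQUERY_FULL"', 'GRIR_BUSINESS_USER');

-- Business users receive the role, never individual grants or SYSTEM permissions.
GRANT GRIR_BUSINESS_USER TO JDOE;

-- Check 1: who holds object privileges on the status table or the GRIR views.
-- Grantees other than the role, or rows with IS_GRANTABLE = 'TRUE', need review.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE (SCHEMA_NAME = 'SAP_HBA'
        AND OBJECT_NAME = 'sap_hba_apps_grircm_db_GRIRCMSTATUS')
    OR (SCHEMA_NAME = '_SYS_BIC'
        AND OBJECT_NAME LIKE 'sap.hba.apps.grircm.views/%')
 ORDER BY GRANTEE, OBJECT_NAME, PRIVILEGE;

-- Check 2: which analytic privileges each grantee holds, so that a privilege
-- without a SAPClient restriction on a query view can be spotted.
SELECT GRANTEE, GRANTEE_TYPE, OBJECT_NAME
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE OBJECT_TYPE = 'ANALYTICALPRIVILEGE'
 ORDER BY GRANTEE, OBJECT_NAME;

-- Check 3: who has the role, directly or through another role.
SELECT GRANTEE, GRANTEE_TYPE, ROLE_NAME
  FROM "SYS"."GRANTED_ROLES"
 WHERE ROLE_NAME = 'GRIR_BUSINESS_USER';
```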

Metadata for Authorizations

You can define authorizations on the level of view fields. SAP delivers metadata, that is, authorization objects with the corresponding fields and activities, for the following views:

  • GRIRClearingMonitorDigestQuery

  • GRIRNumberOfOpenItemsQuery

  • GRIRPurchaseOrderClearingAgingQuery

  • GRIRClearingMonitorQuery

  • GRIRClearingMonitorStatusQuery

  • GRIROpenItemQuery

  • GRIRPurchaseOrderQuery

  • GRIRAccountingDocumentQuery

  • GRIRPurchaseOrderHistoryQuery

  • GRIRPurOrdHistoryWithDeliveryCostsQuery

  • GRIRPurchaseOrderItemDigestQuery

  • GRIRGoodsReceiptQuery

  • GRIRInvoiceReceiptQuery

  • GRIRVendorContactDataQuery

  • GRIRVendorDefaultContactDataQuery

  • GRIRClearingMonitorStatusClearedQuery

  • GRIRClearingMonitorStatusOpenQuery

This metadata is available in the SAP HANA Live Authorization Assistant. For more information, see the section SAP HANA Live Authorization Assistant under Privileges, as well as the documentation available on SAP Help Portal at http://help.sap.com/hba under SAP HANA Live Tools > SAP HANA Live Authorization Assistant.